kernel panic at /syzkaller/managers/main/kernel/kern/include/kref.h:68, from core 3: assertion failed: kref_refcnt(kref) > 0
Stack Backtrace on Core 3:
#01 [<0xffffffffc200a38c>] in backtrace at src/kdebug.c:229
#02 [<0xffffffffc2009b25>] in _panic at src/init.c:267
#03 [<0xffffffffc203115b>] in kref_put at include/kref.h:68
#04 [<0xffffffffc2031828>] in cclose at src/ns/chan.c:334
#05 [<0xffffffffc2036e4a>] in devwalk at src/ns/dev.c:222
#06 [<0xffffffffc2083f7f>] in randomwalk at drivers/dev/random.c:131
#07 [<0xffffffffc20329bd>] in walk at src/ns/chan.c:809
#08 [<0xffffffffc2033429>] in __namec_from at src/ns/chan.c:1139
#09 [<0xffffffffc2034013>] in namec at src/ns/chan.c:1517
#10 [<0xffffffffc20413e6>] in sysopenat at src/ns/sysfile.c:592
#11 [<0xffffffffc205940f>] in sys_openat at src/syscall.c:1724
#12 [<0xffffffffc205a019>] in syscall at src/syscall.c:2465
#13 [<0xffffffffc205a1f8>] in run_local_syscall at src/syscall.c:2500
#14 [<0xffffffffc205a739>] in prep_syscalls at src/syscall.c:2520
#15 [<0xffffffffc20abee2>] in sysenter_callwrapper at arch/x86/trap.c:854
Unhandled user trap in vcore context from VC 0
kernel panic at kern/src/ns/chan.c:332, from core 2: cclose 0x0000000000000000
Stack Backtrace on Core 2:
#01 [<0xffffffffc200a38c>] in backtrace at src/kdebug.c:229
#02 [<0xffffffffc2009b25>] in _panic at src/init.c:267
#03 [<0xffffffffc203184a>] in cclose at src/ns/chan.c:332
#04 [<0xffffffffc2033251>] in walk_symlink at src/ns/chan.c:1703
#05 [<0xffffffffc203323c>] in walk_symlink at src/ns/chan.c:1701
#06 [<0xffffffffc203323c>] in walk_symlink at src/ns/chan.c:1701
#07 [<0xffffffffc203323c>] in walk_symlink at src/ns/chan.c:1701
#08 [<0xffffffffc203323c>] in walk_symlink at src/ns/chan.c:1701
#09 [<0xffffffffc203323c>] in walk_symlink at src/ns/chan.c:1701
#10 [<0xffffffffc2032d52>] in walk at src/ns/chan.c:872
#11 [<0xffffffffc2033429>] in __namec_from at src/ns/chan.c:1139
#12 [<0xffffffffc2034013>] in namec at src/ns/chan.c:1517
#13 [<0xffffffffc203dd55>] in sysremove at src/ns/sysfile.c:841
#14 [<0xffffffffc20561b5>] in sys_unlink at src/syscall.c:1926
#15 [<0xffffffffc205a019>] in syscall at src/syscall.c:2465
#16 [<0xffffffffc205a1f8>] in run_local_syscall at src/syscall.c:2500
#17 [<0xffffffffc205a739>] in prep_syscalls at src/syscall.c:2520
#18 [<0xffffffffc20abee2>] in sysenter_callwrapper at arch/x86/trap.c:854
HW TRAP frame (partial) at 0xffffffffc8995e20 on core 1
rax 0x000000005a5a4e80
rbx 0x0000300000006e90
rcx 0x0000000000000150
rdx 0x000010000000a4c0
rbp 0x0000300000006e80
rsi 0x000010000000a5c0
rdi 0x000000005a5a4f80
r8 0x000000005a5a5a5a
ROS(Core 3)> r9 0x000000005a5a4e80
r10 0x0000000000000000
r11 0x0000000000000200
r12 0x000000000040feb0
r13 0x000010000000a4c0
r14 0x0000000000000004
r15 0x00007f7fffa01200
trap 0x0000000e Page Fault
gsbs 0x0000000000000000
fsbs 0x0000000000000000
err 0x--------00000006
rip 0x000000000040fc96
cs 0x------------0023
flag 0x0000000000010202
rsp 0x0000300000006d80
ss 0x------------001b
err 0x6 (for PFs: User 4, Wr 2, Rd 1), aux 0x000000005a5a4f80
Addr 0x000000000040fc96 is in syz-executor at offset 0x000000000000fc96
VM Regions for proc 100
NR: Range: Prot, Flags, File, Off
00: (0x0000000000400000 - 0x00000000004b5000): 0x00000005, 0x00000001, 0xffff80000634f820, 0x0000000000000000
01: (0x00000000004b5000 - 0x00000000004b6000): 0x00000005, 0x00000002, 0xffff80000634f820, 0x00000000000b5000
02: (0x00000000006b6000 - 0x00000000006b9000): 0x00000003, 0x00000002, 0xffff80000634f820, 0x00000000000b6000
03: (0x00000000006b9000 - 0x00000000008e5000): 0x00000003, 0x00000002, 0x0000000000000000, 0x0000000000000000
04: (0x0000000020000000 - 0x0000000021000000): 0x00000007, 0x00000022, 0x0000000000000000, 0x0000000000000000
05: (0x0000100000000000 - 0x0000100000024000): 0x00000007, 0x00000022, 0x0000000000000000, 0x0000000000000000
06: (0x0000300000000000 - 0x0000300000001000): 0x00000003, 0x00000002, 0xffff80000634f820, 0x0000000000000000
07: (0x0000300000001000 - 0x0000300000005000): 0x00000003, 0x00000022, 0x0000000000000000, 0x0000000000000000
08: (0x0000300000005000 - 0x0000300000007000): 0x00000007, 0x00000022, 0x0000000000000000, 0x0000000000000000
09: (0x0000300000007000 - 0x0000300000019000): 0x00000003, 0x00000022, 0x0000000000000000, 0x0000000000000000
10: (0x0000300000019000 - 0x000030000003d000): 0x00000007, 0x00000022, 0x0000000000000000, 0x0000000000000000
11: (0x00007f7fff8ff000 - 0x00007f7fff9ff000): 0x00000003, 0x00000022, 0x0000000000000000, 0x0000000000000000
Backtrace of user context on Core 1:
Offsets only matter for shared libraries
#01 Addr 0x000000000040fc96 is in syz-executor at offset 0x000000000000fc96
#02 Addr 0x00000000004100be is in syz-executor at offset 0x00000000000100be
#03 Addr 0x000000000041566d is in syz-executor at offset 0x000000000001566d
#04 Addr 0x0000000000407f5b is in syz-executor at offset 0x0000000000007f5b
#05 Addr 0x0000000000414ac0 is in syz-executor at offset 0x0000000000014ac0
#06 Addr 0x000000000040848a is in syz-executor at offset 0x000000000000848a
#07 Addr 0x0000000000403e79 is in syz-executor at offset 0x0000000000003e79
#08 Addr 0x00000000004147ec is in syz-executor at offset 0x00000000000147ec
#09 Addr 0x00000000004147f1 is in syz-executor at offset 0x00000000000147f1